Friday, August 13, 2010

Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised .NL/.CH Sites


Over the past week, I've been tracking -- among the countless number of campaigns currently in the process of being profiled/taken care of internally -- a blackhat SEO campaign that's persistently compromising legitimate sites within small ISPs in the Netherlands and Switzerland, for scareware-serving purposes.

Although this beneath-the-radar targeting approach is nothing new, it once again emphasizes a well-proven mentality within the cybercrime ecosystem: collectively, hundreds of thousands of low-profile sites, if well poisoned with bogus/timely/relevant blackhat SEO content, can outpace the hijacked traffic from a single high-profile site, because a high-profile site gets cleaned up in a much shorter time frame, with its administrators and community members reacting faster based on the importance of the site.

What's particularly interesting about the campaign is the fact that the redirectors/scareware domains were previously parked within our "dear friends" at AS31252, STARNET-AS StarNet Moldova. Go through related posts on STARNET-AS StarNet Moldova.

Let's dissect the campaign, expose the complete portfolio of scareware/redirector domains, emphasize the monetization vector, and show how this blackhat SEO campaign is using the same scareware affiliate network that the campaigns launched through Gumblar's infrastructure (Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign) continue to use.

Once the self.location.href = redirect condition is met, the following redirections take place, until the user is exposed to the ubiquitous "You're infected" screen:


- dotyuzcifl.ru/liq/?st= - 200.63.44.211 - Email: kireev@ravermail.com (NS: ns1.freemobiledns.mobi Email: akorn1022@gmail.com)
    - errgxhxzerr.co.cc/r/feed.php?k= - 200.63.44.211, AS27716, ASEVELOZ - Email: andrew_bush52@hotmail.com
    - errgxhxzerr.co.cc/tube/?k=
    - errgxhxzerr.co.cc/r/sss.php
        - www4.protection-guard89.co.cc - 74.118.193.81, AS46664 - Email: abc.emm@gmail.com
        - www1.virus-detection50.co.cc/?p=p52 - 94.228.220.117, AS47869, NETROUTING-AS - Email: abc.emm@gmail.com

- Detection rate:
packupdate9_289.exe - Win32/TrojanDownloader.FakeAlert.AEY - 6/ 42 (14.3%)
MD5   : 3e4920aa3ff24db64372ae96854f3f02
SHA1  : 75bcb6acf5ff65269bfc5f685e5d03688b8b1ade
SHA256: 7272f889520cd1d1898ccd91f1b01835cf53f06b452041baae0336796ff09fd7

Responding to 94.228.220.117, AS47869, NETROUTING-AS are also the following domains:


It gets even more interesting, and cybercrime ecosystem-friendly, when we see that one of the scareware redirector domains has been registered with the same email as the scareware redirector domain used in the monetization vector of Gumblar's campaigns.

The currently used uramozat.cz.cc /scanner10/?afid=76 - 195.16.88.62, AS50109, HOSTLIFE-AS WIBO PROJECT LLC - Email: ydeconspi@nice-4u.com is registered using the same email as the recently used hoopdotami.cz .cc/scanner5/?afid=24 - 188.72.192.229 - Email: ydeconspi@nice-4u.com from the "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign".

This centralization of monetization networks ultimately serves the security industry and law enforcement best, and it remains a trend rather than a fad.

Responding to 195.16.88.62 are also the following affiliate redirector domains:
Complete list of the URLs for compromised sites (CURRENTLY ACTIVE) hosted at AS15547, TVS2NET-NETPLUS Servicing cable-network customer in CH.

Responding to 200.63.44.211 (the original redirector domains dotyuzcifl.ru and errgxhxzerr.co.cc), AS27716, ASEVELOZ Eveloz, are the remaining domains that are part of the scareware/redirection/fake Adobe Flash Player (tube/Adobe__Flash__Player.exe) campaign.

- Detection rate:
Adobe__Flash__Player.exe - Heuristic.BehavesLike.Win32.Suspicious.H - 11/ 42 (26.2%)
MD5   : 8a10909c487a739e85028a19a1e898dc
SHA1  : d9f7d78fe245f8df04fa398835b52d5a2c2d6af7
SHA256: 63befe78a7895a8efc6d893491d8f77ef8ada1cd52d562587490a79f29b65336

- Upon execution, the sample phones back to:
qualattice.com - 64.20.63.58 - Email: trough@mobiletonight.com
jaxcage.net - 91.188.60.233, AS6851, BKCNET "SIA" IZZI - Email: delee@easteroffers.com
mybubblebean.com - 85.234.190.47, AS6851, BKCNET "SIA" IZZI - Email: place@popupquote.com
freejaxbird.net - 77.78.239.42 - Email: delee@easteroffers.com

Could we have a blackhat SEO campaign without a Koobface gang connection? Appreciate my rhetoric. Parked at 200.63.44.48, again within AS27716, ASEVELOZ Eveloz, are the following domains:

Déjà vu! Where do we know the michaeltycoon@gmail.com email from? From the "A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" campaign, and in particular from the fact that it was once directly connected to the Koobface gang -- this is not an email that was used to register a domain belonging to the scareware affiliate network; instead, it's an email used to register a client-side exploits serving domain parked on the same IP where a hardcore Koobface C&C from Koobface 1.0's infrastructure (urodinam.net) was responding:
  • Dissecting the Mass DreamHost Sites Compromise - "Moreover, on the exact same IP where Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php"
Blackhat SEO campaigns, the migration from the Koobface-friendly AS31252, STARNET-AS StarNet Moldova, plus a direct connection established once a customer migrates (he usually takes all of his dirty luggage with him) prove that there's no such thing as coincidence within the cybercrime ecosystem. There's just a diverse infrastructure where everyone appears to be self-serving their needs as a service, consequently forwarding responsibility for someone else's actions to the infrastructure they are abusing.
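The pivots this post relies on (a registrant email shared between the NL/CH redirectors and Gumblar's affiliate redirector; a redirector email shared with a Koobface-adjacent exploit domain) can be made repeatable. The following is an added example, not code from the original post: a union-find clusterer over a constructed sample of WHOIS-style records built from indicators quoted above; the campaign labels, the record layout and the privacy-proxy list are my assumptions.

```python
# Added example (not from the original post): cluster scareware/redirector domains by
# shared registrant e-mail or hosting IP. Records are a constructed sample drawn from
# indicators quoted in the posts; campaign labels and record layout are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Node = Tuple[str, str]  # ("domain", d) / ("email", e) / ("ip", a)

@dataclass(frozen=True)
class Record:
    domain: str
    ip: Optional[str]     # hosting IP at observation time, None if unknown
    email: Optional[str]  # WHOIS registrant e-mail, None if unknown
    campaign: str         # assumed label for the post/campaign it was seen in

NLCH, SPAM, DREAMHOST = "NL/CH blackhat SEO", "Spamvertised Best Buy/Macy's", "DreamHost compromise"

# Constructed sample: a handful of the indicators quoted in the posts above.
RECORDS: List[Record] = [
    Record("dotyuzcifl.ru", "200.63.44.211", "kireev@ravermail.com", NLCH),
    Record("errgxhxzerr.co.cc", "200.63.44.211", "andrew_bush52@hotmail.com", NLCH),
    Record("www4.protection-guard89.co.cc", "74.118.193.81", "abc.emm@gmail.com", NLCH),
    Record("www1.virus-detection50.co.cc", "94.228.220.117", "abc.emm@gmail.com", NLCH),
    Record("uramozat.cz.cc", "195.16.88.62", "ydeconspi@nice-4u.com", NLCH),
    Record("hoopdotami.cz.cc", "188.72.192.229", "ydeconspi@nice-4u.com", SPAM),
    Record("35l3cv2oywwycrfz1yo3.com", "200.63.44.48", "michaeltycoon@gmail.com", NLCH),
    Record("1zabslwvn538n4i5tcjl.com", None, "michaeltycoon@gmail.com", DREAMHOST),
    Record("baymediagroup.com", "188.165.95.133", "fb@bigmailbox.ru", SPAM),
    Record("httpsstarss.in", "188.72.226.154", "stevieksbaiz@hotmail.com", SPAM),
    Record("httpstatsconfig.com", "204.12.226.173", "httpstatsconfig.com@evoprivacy.com", SPAM),
]

# A WHOIS privacy proxy hands out one address per customer domain, so such an e-mail
# says nothing about what else the registrant controls; never pivot on it.
PRIVACY_PROXIES = frozenset({"evoprivacy.com"})

def pivotable(field: str, value: Optional[str]) -> bool:
    """True if a WHOIS/hosting value is specific enough to link domains on."""
    if not value:
        return False
    return not (field == "email" and value.rsplit("@", 1)[-1].lower() in PRIVACY_PROXIES)

class DisjointSet:
    def __init__(self) -> None:
        self.parent: Dict[Node, Node] = {}

    def find(self, x: Node) -> Node:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:  # path halving
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: Node, b: Node) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster(records: Sequence[Record], pivot_on: Sequence[str] = ("email",)) -> List[List[str]]:
    """Group domains that (transitively) share any pivot value. "ip" is the weaker
    pivot: shared hosting puts unrelated customers on one address."""
    ds = DisjointSet()
    for r in records:
        ds.find(("domain", r.domain))  # an isolated domain is still its own cluster
        for field in pivot_on:
            if pivotable(field, getattr(r, field)):
                ds.union(("domain", r.domain), (field, getattr(r, field)))
    groups: Dict[Node, set] = defaultdict(set)
    for r in records:
        groups[ds.find(("domain", r.domain))].add(r.domain)
    return sorted(sorted(g) for g in groups.values())

def cross_campaign_links(records: Sequence[Record],
                         pivot_on: Sequence[str] = ("email",)) -> List[Tuple[Tuple[str, ...], List[str]]]:
    """(campaigns, domains) for each cluster spanning more than one campaign: the
    overlaps the post uses to tie the NL/CH campaign to earlier ones."""
    by_domain = {r.domain: r for r in records}
    links = []
    for group in cluster(records, pivot_on):
        campaigns = tuple(sorted({by_domain[d].campaign for d in group}))
        if len(campaigns) > 1:
            links.append((campaigns, group))
    return links
```

Pivoting on email alone reproduces the two cross-campaign overlaps discussed above, while pivoting on IP joins dotyuzcifl.ru and errgxhxzerr.co.cc (same host, different registrants) but links nothing across campaigns.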

Related blackhat SEO/scareware monetization assessments:
Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
The ultimate guide to scareware protection
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
 

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Monday, August 09, 2010

Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign


They are back again (Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails; Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign) for a fresh start of the week, with a currently ongoing spam campaign serving scareware and client-side exploits, using "Thank you for your payment"/"Thank you for your EXPRESS payment" themed subjects and impersonating popular brands such as Best Buy, Macy's, Target and Evite.

Let's dissect the campaign and its structure, emphasize the monetization strategy, and expose the complete portfolio of the domains involved in the campaign.

Sample email:
"Subject :Thank you for your payment Don’t miss a thing – Add support@e.macys.com to your email address book! Click here if you are unable to see images in this email.

1. Sign in on macys.com at https://www.macys.com/myinfo/index.ognc
2. Click on “My Account” – “My Profile” at https://www.macys.com/myinfo/profile/index.ognc
3. Uncheck the box Receive email notification when statements are available to view online and when payments are due.
4. Click on “Update Profile”
5. Expect the change to take place in 3 days
©2009 macys.com Inc., 685 Market Street, Suite 800, San Francisco, CA 94105. All rights reserved.
"

Compared to previous campaigns, the directory structure (fast fluxed :8080/index.php?pid=10; maliciousurl.ru /QWERTY.js; maliciousurl.ru /ODBC.js; LAN.js; Access.js; End_User.js etc.) of this one remains virtually the same, depending, of course, on the angle you choose for dissecting it.


Sample campaign structure:
- musicsgeneva.com /x.html - "PLEASE WAITING 4 SECOND..."
- opus22.org /x.html - "PLEASE WAITING 4 SECOND..."
- shamelessfreegift.com /x.html - "PLEASE WAITING 4 SECOND..."
- physicianschoiceonline.com /x.htm - "PLEASE WAITING 4 SECOND..."
    - baymediagroup .com:8080/index.php?pid=10 - client-side exploits - 188.165.95.133; 188.165.192.106; 91.121.108.61; 94.23.60.106; 178.32.5.233 - Email: fb@bigmailbox.ru
        - hoopdotami.cz .cc/scanner5/?afid=24 - 188.72.192.229 - scareware monetization

- Detection rate:
antivirus_24.exe - Trojan.Win32.FraudPack.berq - Result: 16/42 (38.1%)
File size: 166912 bytes
MD5...: b3cd297c654d3be52ffeb5f6a5ff13b4
SHA1..: bae889dd8ac7b22ec5f5649d6e0c073c8e2119d5

Upon execution, the sample phones back to:
httpsstarss.in /httpss/v=40&step=2&hostid= - 188.72.226.154 - Email: stevieksbaiz@hotmail.com
httpstatsconfig.com /getfile.php?r= - 204.12.226.173 - Email: httpstatsconfig.com@evoprivacy.com


Responding to 204.12.226.173 are also:

Domains using the same name server, ns1.freedomen.info - 209.85.99.32 - Email: mail@vetaxa.com:

Name servers of notice:

Client-side exploits serving domains part of the campaign:

UPDATED: Thursday, August 12, 2010: Historical OSINT for client-side exploit serving domains that were part of Gumblar's campaigns in April/May 2010 and used the hostdnssite.com (Email: cop@qx8.ru) name server:

UPDATED: Friday, August 13, 2010:
The use of Yahoo Groups is still ongoing. Sample URL: groups.yahoo .com/group/nfldcsyi/message which includes a link to perfectpillcool .com:8080.

The campaign is ongoing, updates will be posted as soon as new developments emerge.
